INCIDENT RESPONSE – WHAT, WHY (AND HOW TO LEARN IT FOR FREE!)
I thought I would write this article as incident response is a vital function of cyber security within any business. Regardless of your role in cyber security, you should be aware of what incident response is and why it exists. To help you learn this, I am going to include my favourite incident response resources.
WHAT IS IT?
Incident response is the way a company plans for, and then handles, a cyber security attack or breach. The point of this is to ensure cyber security incidents are dealt with in a timely manner and that the damage and cost of attacks are kept to a minimum.
Incident response is handled by a CSIRT (Cyber Security Incident Response Team). This team will usually include security staff and other relevant IT staff, along with legal, human resources and public relations staff. The roles of these members are:
- Executive Member/s – This will include the CISO and / or other relevant board members who need to be kept up to date with the ongoing incident and assign budgets if required.
- Security Staff – The cyber security analyst/s responsible for investigating and dealing with the actual attack or breach.
- Other IT Staff – Incident management, to organise the staff required for actions relating to the attack or breach, along with any other IT staff whose systems are involved.
- Legal – Decides when to disclose incidents, such as a breach, and deals with any of the fallout resulting from the security incident, such as shareholder or employee lawsuits.
- Human Resources – Deals with any aspect of the attack or breach relating to employees, including if employees were involved in the incident – e.g. insider threats. Also involved with communications to employees.
- Public Relations – Deal with inquiries from the media along with communicating with employees, customers and partners.
The CSIRT will follow an incident response plan. This is a set of instructions particular to a business which will be followed to detect, contain, eradicate and recover from an attack or breach. Let's quickly go through the 6 common steps of an incident response plan.
The first step is to prepare for responding to a cyber security incident. This includes having the following things ready:
- Response plan
- Company policies
- Documented members of CSIRT team with contact details
- Documented details of potentially involved 3rd parties
- Employees trained correctly for their roles
- A tested incident response plan, exercised regularly so that the team knows it works
- Adequate funding for all aspects of your incident response, given its importance to the business
Next up is identifying if an attack or a breach is occurring or has occurred.
During this phase you need to figure out when the event happened, the point of entry, how it was discovered and who discovered the breach. You also need to establish the scope of the incident and whether it affects any production or critical systems.
Put simply, during the containment stage you need to ensure the breach or attack is contained to limit any damage on both a short and long term basis.
After an incident is contained, the next step is to eradicate the breach or attack. This will include activities such as removing malicious files, re-imaging systems, performing backups and updating or hardening systems.
Once the attack or breach is contained and eradicated, the next stage is getting systems back to a fully restored, working and secured state. This also includes continued monitoring for any further signs of abnormal activity on the affected systems.
Once all previous steps are complete, it is important to document any lessons which have been learned from the attack or breach. This can include things such as improving security, your incident response plan or your training for employees. Overall, the aim is to ensure this type of attack does not succeed again.
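To make the identification step concrete, here is an added example (not code from the original post): a small Python triage script that parses a handful of constructed log lines and pulls out the facts that step asks for: when the event started, the point of entry and the external source behind it, which hosts are in scope, whether any of them are production or critical systems, how the attacker moved between hosts, and who discovered the incident and when. The log format, host names, event types, analyst name and the list of critical hosts are all assumptions made up for this demonstration.

```python
"""Identification-phase triage over constructed log lines.

Added example: the log format, host names, event types and the list of
critical hosts used here are all made up for this demonstration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample events in the form "<timestamp> <host> <event> key=value ...".
# They sketch a phishing-style intrusion: an external logon to a workstation,
# a script spawned by the mail client, a file dropped on a share, a hop to a
# production database host, and finally an EDR alert picked up by an analyst.
SAMPLE_LOG = """\
2024-03-04T08:12:03Z ws-017 auth_fail user=jsmith src=203.0.113.45
2024-03-04T08:12:09Z ws-017 auth_fail user=jsmith src=203.0.113.45
2024-03-04T08:12:14Z ws-017 auth_success user=jsmith src=203.0.113.45
2024-03-04T08:20:41Z ws-017 process_start name=powershell.exe parent=outlook.exe
2024-03-04T08:31:07Z fs-01 smb_write path=/share/x.exe src=ws-017
2024-03-04T08:33:55Z db-prod-02 auth_success user=jsmith src=ws-017
2024-03-04T09:02:18Z edr-console alert rule=lateral_movement host=db-prod-02 analyst=a.lee
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?: (?P<detail>.*))?$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    event: str
    fields: dict = field(default_factory=dict)


def parse_line(line):
    """Parse one log line into an Event; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in (m.group("detail") or "").split() if "=" in kv)
    return Event(datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
                 m.group("host"), m.group("event"), fields)


def triage(log_text, critical_hosts):
    """Return the identification-step facts derived from the log text."""
    events = sorted((e for e in map(parse_line, log_text.splitlines()) if e),
                    key=lambda e: e.ts)
    if not events:
        return {}

    # Hosts that are the subject of an event are in scope. An alert names its
    # victim in the host= field; the console that raised it is only a reporter.
    affected = set()
    for e in events:
        affected.add(e.fields.get("host", e.host) if e.event == "alert" else e.host)

    first = events[0]
    alert = next((e for e in events if e.event == "alert"), None)

    # A lateral move is any event whose source is another host already in scope.
    lateral = [(e.fields["src"], e.host) for e in events
               if e.fields.get("src") in affected and e.fields["src"] != e.host]

    return {
        "first_seen": first.ts,
        "point_of_entry": first.host,
        "external_source": first.fields.get("src"),
        "affected_hosts": sorted(affected),
        "critical_affected": sorted(affected & set(critical_hosts)),
        "lateral_moves": lateral,
        "discovered_by": alert.fields.get("analyst") if alert else None,
        "discovered_at": alert.ts if alert else None,
        "dwell_seconds": int((alert.ts - first.ts).total_seconds()) if alert else None,
    }


if __name__ == "__main__":
    # Assumed for the demo: db-prod-02 is the only critical production system.
    for key, value in triage(SAMPLE_LOG, {"db-prod-02"}).items():
        print(f"{key:>18}: {value}")
```

Running the script prints each fact on its own line; the dwell time (first event to discovery) is the number that most directly measures how well the detection side of the plan is working. To use the same approach on a real SIEM export, replace SAMPLE_LOG and adjust LINE_RE to match that export's line format.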
WHY DOES IT EXIST?
Cyber security incident response is vital. It exists to ensure the following:
Data Protection – The first point is to protect the data of your company. Data integrity is vital to any company, regardless of whether the data belongs to the company, its employees, third parties or its customers. Attackers may hold data to ransom or leak it to the public, and it is vital this data is kept secure so that PII and company data stay safe.
Revenue Protection – The average cost of a data breach continues to grow year by year. This can be due to paying ransoms, repairing systems, legal fees, lost custom or drops in share price, amongst a variety of other potential reasons.
The faster and better you respond to an attack or breach, the lower the cost to your business of remediating and fixing the problem.
Uphold Reputation – Finally, you need to ensure the reputation of your business is upheld. If a security breach is not dealt with well, customers may decide to take their custom elsewhere. Share prices will fall if reputation is badly affected, and large fines may be handed out depending on the size of the breach and the country it takes place in.
HOW TO LEARN INCIDENT RESPONSE FOR FREE!
I firmly believe that anyone working in cyber security should have a good understanding of incident response. Here are some of my favourite resources to learn incident response yourself.
Incident Response Playbooks – This site has a large number of great resources around IR. The best part is they have full length, free playbooks for the most common types of attack. This includes phishing, data theft, malware outbreaks and much more. https://www.incidentresponse.com/playbooks/
Applied Incident Response – A variety of free resources for incident responders – https://www.appliedincidentresponse.com/resources/
Incident Response Playbooks – 5 further free incident response playbooks – https://ayehu.com/cyber-security-incident-response-automation/top-5-cyber-security-incident-response-playbooks/
Free Short Course – Free 5 week course to learn incident handling – https://www.itmasters.edu.au/free-short-course-information-security-incident-handling/
Incident Management Guide – Free incident management guide from the Belgium Centre for Cyber Security – https://www.cybersecuritycoalition.be/content/uploads/cybersecurity-incident-management-guide-EN.pdf
Incident Response and Advanced Forensics – Free 8 hour course which explains IR, shows you how to create 3 of your own plans and also details advanced forensic techniques – https://www.cybrary.it/skill-certification-course/incident-response-certification-training-course/
How to develop an IR Plan – 9 step guide to building your own IR plan – https://resources.infosecinstitute.com/category/certifications-training/csih-certification/incident-response-plan-steps/#gref
Exabeam IR Plan guide – In-depth Exabeam guide which covers all the bases of how to create your own IR plan, with various tips and articles – https://www.exabeam.com/incident-response/incident-response-plan/
UK NCSC IR guide – Guide from the UK NCSC which includes processes, teams and how to build your own IR function – https://www.ncsc.gov.uk/collection/incident-management/incident-response
Thanks for reading the blog post, I hope it helps you to learn incident response. If you would like to discuss this post further, or just have a chat, contact me at https://twitter.com/blueteamblog